Tcpdump data collection

Nathan Ward
Wed Dec 3 01:33:13 UTC 2008

On 3/12/2008, at 2:19 PM, Subba Rao wrote:

> Hello,
> I want to collect data on a network and map the data flow and system/port
> traffic. There are 2 scenarios of data collection here. The first is to
> collect IP traffic only. In this method I do not want the data portion of
> the IP packet (need IP address, source/destination ports etc).
> The second is to collect traffic that will show all the routing protocols
> (non-IP) used on this network. Today while collecting the data, I saw
> several HSRP packets. I don't know what portion of the packet is
> sufficient to capture for this purpose.
> I used the "-s 0" option on tcpdump which captures the whole packet. That
> is making the dump file large. Any help with the filters is appreciated to
> capture the non-data portion of the packets.
> Thank you in advance.

I strongly recommend having a look through this to find out what rules
you want (i.e. plain English):

Then go about mapping them into tcpdump/pcap/bpf/whatever filter
format; a quick Google suggests this as a good resource:

You might also consider using netflow instead of tcpdump; there are
lots of tools available for processing netflow data in ways that are
useful to network operators.

Nathan Ward
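The original question asks for a capture that keeps addresses and ports but drops the data portion. tcpdump's `-s` sets one fixed snap length for every packet, so a small value covers most headers but can cut into IP or TCP options. The script below is an added example, not code from either poster: it post-processes a pcap and trims each record to exactly its Ethernet, IPv4 and TCP/UDP headers, preserving the record's wire length so packet sizes stay visible. It assumes the classic little-endian libpcap format with Ethernet link type and IPv4; non-IP frames (ARP, CDP, STP and the like) are kept whole so the non-IP traffic the poster is after is not lost. The three-frame sample capture is constructed inline; it includes an HSRP-style datagram because HSRP is carried in IPv4/UDP to port 1985 on 224.0.0.2, so it appears in the IP capture.

```python
"""Trim an Ethernet pcap to headers only (link + IPv4 + TCP/UDP headers).

Added example; not code from the NANOG thread. Assumes the classic
little-endian libpcap format (magic 0xa1b2c3d4), link type Ethernet
(DLT_EN10MB = 1) and IPv4. Non-IP frames are kept as captured, and the
original wire length of every record is preserved.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17
HSRP_PORT = 1985          # HSRP is IPv4/UDP, multicast to 224.0.0.2


def header_length(frame: bytes) -> int:
    """Number of leading bytes that are headers rather than payload."""
    if len(frame) < ETH_HDR_LEN:
        return len(frame)
    off = ETH_HDR_LEN
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:            # 802.1Q tag: real EtherType sits 4 bytes later
        if len(frame) < 18:
            return len(frame)
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return len(frame)                       # ARP, CDP, STP, ...: keep the whole frame
    ihl = (frame[off] & 0x0F) * 4               # IPv4 header length incl. options
    proto = frame[off + 9]
    ip_end = off + ihl
    if proto == IPPROTO_TCP and len(frame) >= ip_end + 13:
        data_off = (frame[ip_end + 12] >> 4) * 4   # TCP header length incl. options
        return min(len(frame), ip_end + data_off)
    if proto == IPPROTO_UDP:
        return min(len(frame), ip_end + 8)      # fixed 8-byte UDP header
    return min(len(frame), ip_end)              # OSPF, VRRP, ICMP, ...: IP header only


def trim_pcap(data: bytes) -> bytes:
    """Return a new pcap in which every record carries only its headers."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian classic pcap file")
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    out = bytearray(data[:24])                  # global header copied unchanged
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from("<IIII", data, pos)
        pos += 16
        if pos + caplen > len(data):
            break                               # truncated final record: drop it
        frame = data[pos:pos + caplen]
        pos += caplen
        keep = header_length(frame)
        out += struct.pack("<IIII", ts_sec, ts_usec, keep, origlen)  # wire length kept
        out += frame[:keep]
    return bytes(out)


def record_lengths(data: bytes) -> list:
    """[(captured_len, wire_len), ...] for every record, for inspection."""
    lens, pos = [], 24
    while pos + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from("<IIII", data, pos)
        lens.append((caplen, origlen))
        pos += 16 + caplen
    return lens


def _eth(dst: bytes, src: bytes, ethertype: int) -> bytes:
    return dst + src + struct.pack("!H", ethertype)


def _ipv4(proto: int, src: bytes, dst: bytes, payload_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def build_sample_pcap() -> bytes:
    """Constructed three-frame capture (not a real trace): a TCP segment with
    100 bytes of payload, an HSRP-style UDP datagram, and an ARP frame."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hsrp_grp = bytes([224, 0, 0, 2])
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    udp_hdr = struct.pack("!HHHH", HSRP_PORT, HSRP_PORT, 8 + 20, 0)
    frames = [
        _eth(mac_b, mac_a, ETHERTYPE_IPV4) + _ipv4(IPPROTO_TCP, host_a, host_b, 20 + 100)
        + tcp_hdr + b"A" * 100,
        _eth(bytes.fromhex("01005e000002"), mac_a, ETHERTYPE_IPV4)
        + _ipv4(IPPROTO_UDP, host_a, hsrp_grp, 8 + 20) + udp_hdr + b"\x00" * 20,
        _eth(b"\xff" * 6, mac_a, ETHERTYPE_ARP) + b"\x00" * 28,
    ]
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame  # constructed timestamps
    return bytes(out)


if __name__ == "__main__":
    original = build_sample_pcap()
    print("before:", record_lengths(original))
    print("after: ", record_lengths(trim_pcap(original)))
```

On the sample, the 154-byte TCP frame shrinks to its 54 header bytes and the 62-byte HSRP datagram to 42, while the ARP frame is untouched; the wire-length column still shows 154 and 62. Written to disk, the trimmed file reads back with `tcpdump -r` like any other capture, and the same trimming could be applied to a capture taken with `-s 0` before archiving it.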
